Incident Response & Digital Forensics
Overview
This skill enables Claude to assist with structured incident response operations, digital evidence collection and preservation, forensic timeline analysis, memory forensics, and comprehensive post-incident reporting. It follows NIST SP 800-61 and SANS incident handling methodology.
Prerequisites
Required
- Python 3.8+
- Python packages: pyyaml, jinja2, pandas, python-dateutil (installed by the pip command below)
Optional
- Volatility 3 — Memory forensics
- Autopsy / Sleuth Kit — Disk forensics
- plaso / log2timeline — Timeline generation
- KAPE — Evidence collection (Windows)
- velociraptor — Endpoint forensics
pip install pyyaml jinja2 pandas python-dateutil
Core Capabilities
1. IR Playbook Creation & Execution
When the user asks to create or follow an IR playbook:
- Identify the incident type (ransomware, phishing, data breach, insider threat, DDoS, malware, account compromise)
- Generate a step-by-step playbook following the PICERL framework:
- Preparation — Verify tools, access, and communication channels
- Identification — Confirm the incident, scope, and severity
- Containment — Short-term and long-term containment strategies
- Eradication — Remove threat actors, malware, and persistence
- Recovery — Restore systems and verify integrity
- Lessons Learned — Post-incident review and improvement
- Include role assignments (IR Lead, Forensics, Comms, Legal)
- Define escalation criteria and communication templates
- Set timeline expectations for each phase
2. Evidence Collection & Preservation
When the user asks to collect evidence:
- Follow the order of volatility (most volatile first, as in RFC 3227):
- CPU registers and caches, running processes, network connections, memory
- Temporary files, login sessions, routing/ARP tables
- Disk images, log files
- Remote logging data, backup media, physical evidence
- Document chain of custody for each evidence item
- Calculate cryptographic hashes (SHA-256; do not rely on MD5 alone) at acquisition and re-verify them after every transfer and before analysis
- Create forensic images where applicable
- Preserve log files from relevant sources
- Generate evidence inventory manifest
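The hashing, custody-log and manifest steps above, as an added example that is not the skill's own evidence_collector.py. The evidence files, case id, analyst names and manifest layout are constructed assumptions; the point is that every item gets a SHA-256 at acquisition, an append-only custody history, and a re-verification that catches any later change.

```python
"""Added example: hash evidence files and keep a chain-of-custody manifest.

Not part of the skill's scripts. Paths, case id and analyst names below are
constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK = 1024 * 1024  # hash large images in chunks instead of reading them whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(evidence_dir: Path, collector: str, case_id: str) -> Dict:
    """Hash every file under evidence_dir and open a custody record for each item."""
    now = datetime.now(timezone.utc).isoformat()
    items: List[Dict] = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        items.append({
            "id": f"{case_id}-{len(items) + 1:03d}",
            "path": str(path.relative_to(evidence_dir)),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
            "custody": [{"action": "acquired", "by": collector, "at": now}],
        })
    return {"case_id": case_id, "created": now, "items": items}


def transfer(manifest: Dict, item_id: str, from_person: str, to_person: str) -> None:
    """Append a hand-off entry; the custody history is append-only, never rewritten."""
    for item in manifest["items"]:
        if item["id"] == item_id:
            item["custody"].append({
                "action": "transferred", "from": from_person, "to": to_person,
                "at": datetime.now(timezone.utc).isoformat(),
            })
            return
    raise KeyError(item_id)


def verify(manifest: Dict, evidence_dir: Path) -> List[str]:
    """Re-hash every item; return the ids whose content no longer matches the manifest."""
    bad = []
    for item in manifest["items"]:
        p = evidence_dir / item["path"]
        if not p.is_file() or sha256_file(p) != item["sha256"]:
            bad.append(item["id"])
    return bad


def demo() -> Tuple[Dict, List[str], List[str]]:
    """Constructed evidence set: two files; the second is altered after acquisition."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "auth.log").write_text(
            "Jan 15 03:12:07 srv sshd[4121]: Accepted password for root from 203.0.113.9\n")
        (root / "memory.raw").write_bytes(os.urandom(4096))
        manifest = collect(root, collector="analyst-a", case_id="IR-2024-001")
        transfer(manifest, "IR-2024-001-001", "analyst-a", "forensics-b")
        before = verify(manifest, root)          # nothing changed yet
        (root / "memory.raw").write_bytes(b"tampered")
        after = verify(manifest, root)           # the altered image is reported
        json.dumps(manifest, indent=2)           # manifest serialises as the inventory file
        return manifest, before, after


if __name__ == "__main__":
    m, ok, tampered = demo()
    print(json.dumps(m, indent=2))
    print("intact:", ok, "modified:", tampered)
```

Store the manifest outside the evidence tree (ideally signed or on write-once media) so that a tampered item cannot be covered by editing its own hash entry.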
3. Forensic Timeline Analysis
When the user asks to build a timeline:
- Collect timestamps from all available sources (logs, filesystem, registry, memory)
- Normalize timestamps to UTC
- Correlate events across multiple data sources
- Identify the initial compromise (patient zero)
- Map the kill chain progression
- Highlight critical events with context
- Export timeline in CSV/JSON/HTML format
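The normalisation and correlation steps above, as an added example that is not the skill's timeline_builder.py. The four log records are constructed samples, and the syslog host's timezone (UTC-5) and year are assumptions that a real case would take from the host configuration or the acquisition notes; syslog carries neither, which is exactly why the normalisation step exists.

```python
"""Added example: normalise timestamps from mixed log sources to UTC and merge them.

Not the skill's own script. The log lines are constructed samples; SYSLOG_TZ and
SYSLOG_YEAR are assumed values for the acquired host.
"""
from __future__ import annotations

import csv
import io
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample records, one per source.
AUTH_LOG = [
    "Jan 15 03:12:07 srv sshd[4121]: Accepted password for root from 203.0.113.9 port 51022 ssh2",
]
ACCESS_LOG = [
    '203.0.113.9 - - [15/Jan/2024:08:10:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
WIN_EVENTS_CSV = (
    "TimeCreated,EventID,Computer,Message\n"
    "2024-01-15T08:15:30Z,4624,WIN-DC01,Logon type 10 for Administrator from 10.0.0.5\n"
)
MFT_EXPORT = [("1705306800", "C:/Users/Public/update.exe", "created")]  # epoch seconds

SYSLOG_TZ = timezone(timedelta(hours=-5))  # assumption: srv's clock runs at UTC-5
SYSLOG_YEAR = 2024                          # assumption: syslog omits the year

APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def event(ts: datetime, source: str, message: str) -> Dict[str, str]:
    """Every event carries a UTC ISO-8601 timestamp so all sources sort together."""
    return {"utc": ts.astimezone(timezone.utc).isoformat(), "source": source, "event": message}


def parse_syslog(line: str) -> Dict[str, str]:
    # "Jan 15 03:12:07" is local host time with no year or offset: supply both.
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=SYSLOG_TZ)
    return event(ts, "auth.log", line[16:])


def parse_apache(line: str) -> Dict[str, str]:
    # Common log format includes its own offset, so %z handles the conversion.
    ts = datetime.strptime(APACHE_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
    return event(ts, "access.log", line)


def parse_win_events(text: str) -> List[Dict[str, str]]:
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # Exported EVTX timestamps are UTC with a trailing Z; fromisoformat needs +00:00 on 3.8
        ts = datetime.fromisoformat(row["TimeCreated"].replace("Z", "+00:00"))
        rows.append(event(ts, "security.evtx", f'{row["EventID"]} {row["Computer"]} {row["Message"]}'))
    return rows


def parse_mft(rows) -> List[Dict[str, str]]:
    return [event(datetime.fromtimestamp(int(epoch), tz=timezone.utc), "mft", f"{action} {path}")
            for epoch, path, action in rows]


def build_timeline() -> List[Dict[str, str]]:
    events = [parse_syslog(l) for l in AUTH_LOG] + [parse_apache(l) for l in ACCESS_LOG]
    events += parse_win_events(WIN_EVENTS_CSV) + parse_mft(MFT_EXPORT)
    return sorted(events, key=lambda e: e["utc"])  # same ISO layout, so string order is time order


def pivot(events: List[Dict[str, str]], ioc: str) -> List[Dict[str, str]]:
    """Correlate across sources: every event that mentions the indicator."""
    return [e for e in events if ioc in e["event"]]


def to_csv(events: List[Dict[str, str]]) -> str:
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["utc", "source", "event"])
    w.writeheader()
    w.writerows(events)
    return out.getvalue()


if __name__ == "__main__":
    tl = build_timeline()
    print(to_csv(tl))
    print("earliest event (patient-zero candidate):", tl[0])
    print("events tied to 203.0.113.9:", len(pivot(tl, "203.0.113.9")))
```

Once every record is in UTC the web-server probe sorts ahead of the SSH login even though the raw syslog line reads five hours earlier; without the offset correction the two sources would be ordered wrongly and the initial access point misread.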
4. Memory Forensics
When the user asks about memory forensics:
- Guide memory acquisition (live vs. dead analysis)
- OS and symbol-table identification (Volatility 3 detects the OS and fetches symbol tables automatically; "profiles" are a Volatility 2 concept)
- Process listing and analysis (pstree, pslist, psscan)
- Network connection extraction (netscan)
- DLL and module analysis
- Registry hive extraction from memory
- Malware detection in memory artifacts
- Code injection detection
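The process-listing and malware-detection steps above, as an added example that is not a Volatility plugin and not part of the skill. The two tables are constructed, simplified extracts (PID, PPID, image name, exit time) of what windows.pslist and windows.psscan print, and the expected-parent table is a minimal version of the usual Windows "know normal" baseline, an assumption for illustration. It shows the two classic triage checks: a process that psscan carves from physical memory but pslist cannot reach through the kernel's linked list, and parent/child pairs that should never occur.

```python
"""Added example: triage Volatility 3 process listings for hidden and anomalous processes.

Not part of the skill. PSLIST/PSSCAN are constructed, simplified extracts of the
plugin output; EXPECTED_PARENT is an assumed minimal baseline.
"""
from __future__ import annotations

from typing import Dict, List, NamedTuple, Tuple

# pslist walks the kernel's doubly linked _EPROCESS list, so anything unlinked
# from that list (DKOM) is invisible to it.
PSLIST = """PID PPID ImageFileName ExitTime
4 0 System N/A
368 4 smss.exe N/A
456 368 csrss.exe N/A
532 368 wininit.exe N/A
640 532 services.exe N/A
648 532 lsass.exe N/A
812 640 svchost.exe N/A
2104 2088 explorer.exe N/A
3316 2104 WINWORD.EXE N/A
3400 3316 cmd.exe N/A
3520 3400 powershell.exe N/A
"""

# psscan carves _EPROCESS structures from physical memory, so it also returns
# unlinked processes and processes that have already exited.
PSSCAN = PSLIST + """2960 2104 notepad.exe 2024-01-15 08:05:41.000000
4812 3520 svchost.exe N/A
"""


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    exited: bool


def parse(table: str) -> Dict[int, Proc]:
    procs: Dict[int, Proc] = {}
    for line in table.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, name, exit_time = line.split(maxsplit=3)
        procs[int(pid)] = Proc(int(pid), int(ppid), name.lower(), exit_time != "N/A")
    return procs


def find_hidden(pslist: Dict[int, Proc], psscan: Dict[int, Proc]) -> List[int]:
    """Still-running processes psscan found that pslist did not: DKOM candidates.

    Exited processes are excluded; they are expected to appear only in psscan.
    Confirm survivors with windows.pstree/windows.threads before calling them hidden,
    since psscan can also carve stale structures from freed pool memory.
    """
    return sorted(pid for pid, p in psscan.items() if pid not in pslist and not p.exited)


# Assumed baseline: who is allowed to be the parent of core Windows processes.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parent_anomalies(procs: Dict[int, Proc]) -> List[Tuple[int, str, str, str]]:
    """Check live processes against the baseline and for Office-spawned shells.

    Resolve parents from the psscan view: the smss.exe that spawned csrss/wininit
    normally exits, so a pslist-only lookup would leave those parents unresolved.
    """
    findings = []
    for p in procs.values():
        if p.exited:
            continue
        parent = procs.get(p.ppid)
        parent_name = parent.name if parent else "<unknown>"
        allowed = EXPECTED_PARENT.get(p.name)
        if allowed and parent_name not in allowed:
            findings.append((p.pid, p.name, parent_name, "unexpected parent"))
        if parent_name in OFFICE and p.name in SHELLS:
            findings.append((p.pid, p.name, parent_name, "office app spawned a shell"))
    return sorted(findings)


if __name__ == "__main__":
    linked, scanned = parse(PSLIST), parse(PSSCAN)
    print("hidden candidates:", find_hidden(linked, scanned))
    for f in parent_anomalies(scanned):
        print("anomaly:", f)
```

In the constructed data the svchost.exe at PID 4812 trips both checks (unlinked from the list and parented by powershell.exe), and the cmd.exe under WINWORD.EXE is the kind of pair that marks a macro-delivered initial access; the next step for each would be windows.dlllist, windows.malfind and a memory dump of the process for the malware-analysis hand-off.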
5. Post-Incident Reporting
When the user asks for an IR report:
- Executive summary (non-technical audience)
- Incident timeline with visual representation
- Scope and impact assessment
- Root cause analysis
- Remediation actions taken
- Recommendations to prevent recurrence
- Compliance notification requirements and deadlines (GDPR Art. 33 gives 72 hours from awareness of a personal-data breach; HIPAA and PCI-DSS have their own timelines)
Usage Instructions
Example Prompts
> Create an incident response playbook for a ransomware attack
> Help me collect forensic evidence from this compromised Windows server
> Build a timeline from these log files to trace the attack
> Guide me through memory forensics with Volatility on this dump
> Generate a post-incident report for management
Script Reference
evidence_collector.py
python scripts/evidence_collector.py --host 192.168.1.100 --output evidence/ --type full
python scripts/evidence_collector.py --logs /var/log/ --output evidence/ --type logs-only
timeline_builder.py
python scripts/timeline_builder.py --logs ./collected_logs/ --output timeline.csv
python scripts/timeline_builder.py --logs ./logs/ --format html --start "2024-01-15" --end "2024-01-16"
Integration Guide
- ← CSOC Automation (11): Receive triaged alerts requiring IR
- → Threat Hunting (06): Feed IOCs for environment-wide hunting
- → Malware Analysis (05): Analyze collected malware samples
- → Log Analysis (12): Deep-dive into specific log sources